6.
@jschauma, O’Reilly Security 2017
“There are two types of companies:
those that have been hacked and
those that don't know it yet.”
— every #infosec nerd, smugly
No, seriously, that includes yours.
— this guy, jaded

14.
Weird things we found:
- certificates with a Not Before date set prior to the Unix epoch (00:00:00, January 1st, 1970)
- certificates with a Not Before date set in 2023
- certificates with a Not Before date set to "110204212630-1200"
- certificates with a Not After date set in 1902
- certificates expiring 10 years in the future
- certificates expiring in 2100
- certificates expiring in the year 4752
- self-signed certificates galore
- various properties having stood up their own CAs
- key length of 512
- certificates with an MD5 signature
- publicly used certificates that expired -15 years
- cipher suites using a NULL encryption cipher
- cipher suites using a NULL authentication cipher
- cipher suites offering export ciphers
- 14 different versions of OpenSSL
- systems vulnerable to Heartbleed, POODLE, Logjam, FREAK, DROWN, and $SILLYNAME
- certificates with ~200 SANs
- certificates without either a CN or a SAN
- certificates with a CN of "*"
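Most of the certificate items on this slide can be flagged mechanically once you have an inventory. The checker below is an added example, not code from the talk or from the speaker: it takes the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns for a peer certificate (subject/issuer as nested RDN tuples, OpenSSL-style `Jan  1 00:00:00 1970 GMT` dates, a `subjectAltName` tuple) and reports the date, naming, and self-signing oddities listed above. Key size and signature algorithm (the 512-bit and MD5 items) are not present in that dict and need a full X.509 parser, so they are left out. The sample certificates, the `MAX_SANS` threshold and the fixed scan time `NOW` are constructed for the example.

```python
"""Flag the certificate oddities from the slide, given getpeercert()-style
dicts.  Added example; not part of the talk.  Key size and signature
algorithm are not in that dict shape and are out of scope here."""
import calendar
import ssl
import time

TEN_YEARS = 10 * 365 * 86400
MAX_SANS = 100          # assumed threshold; the slide saw certs with ~200 SANs
# Constructed scan time for deterministic results (talk era, 2017-10-30 UTC).
NOW = calendar.timegm((2017, 10, 30, 0, 0, 0))


def _parse_time(s):
    """OpenSSL-style 'Jan  1 00:00:00 1970 GMT' -> epoch seconds, or None
    when the string is not in that format (covers the odd-date item)."""
    try:
        return ssl.cert_time_to_seconds(s)
    except (ValueError, TypeError):
        return None


def _rdn_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),),) nesting to a dict."""
    return {k: v for rdn in (name or ()) for k, v in rdn}


def cert_findings(cert, now=None):
    """Return a list of tags, one per oddity found in a single cert dict."""
    now = time.time() if now is None else now
    found = []

    nb = _parse_time(cert.get("notBefore"))
    na = _parse_time(cert.get("notAfter"))
    if nb is None:
        found.append("unparseable-notBefore")
    else:
        if nb < 0:                      # Not Before earlier than the Unix epoch
            found.append("notBefore-pre-epoch")
        if nb > now:                    # Not Before in the future
            found.append("notBefore-in-future")
    if na is None:
        found.append("unparseable-notAfter")
    else:
        if na < now:                    # Not After already passed
            found.append("expired")
        if na - now > TEN_YEARS:        # Not After absurdly far out (2100, 4752, ...)
            found.append("expires-over-10y-out")

    subject = _rdn_dict(cert.get("subject"))
    issuer = _rdn_dict(cert.get("issuer"))
    if subject and subject == issuer:   # self-signed: issuer is the subject
        found.append("self-signed")

    cn = subject.get("commonName")
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if cn == "*":
        found.append("cn-is-bare-wildcard")
    if cn is None and not sans:
        found.append("no-cn-no-san")
    if len(sans) > MAX_SANS:
        found.append("too-many-sans")
    return found


def scan(certs, now=None):
    """Label -> findings for every cert that has at least one finding."""
    out = {}
    for label, cert in certs.items():
        f = cert_findings(cert, now)
        if f:
            out[label] = f
    return out


def _cert(cn, issuer_cn, nb, na, sans=None, subject=None):
    """Build a constructed getpeercert()-shaped dict for the samples."""
    c = {"subject": subject or ((("commonName", cn),),),
         "issuer": ((("commonName", issuer_cn),),),
         "notBefore": nb, "notAfter": na}
    if sans is not None:
        c["subjectAltName"] = tuple(("DNS", s) for s in sans)
    return c


# Constructed sample inventory mirroring the slide's findings.
SAMPLE_CERTS = {
    "clean": _cert("www.example", "Public CA", "Jan  1 00:00:00 2017 GMT",
                   "Jan  1 00:00:00 2019 GMT", ["www.example"]),
    "pre_epoch": _cert("legacy.example", "Corp CA", "Dec 31 23:59:59 1969 GMT",
                       "Jan  1 00:00:00 2020 GMT", ["legacy.example"]),
    "future": _cert("soon.example", "Corp CA", "Jan  1 00:00:00 2023 GMT",
                    "Jan  1 00:00:00 2025 GMT", ["soon.example"]),
    "odd_date": _cert("odd.example", "Corp CA", "110204212630-1200",
                      "Jan  1 00:00:00 2019 GMT", ["odd.example"]),
    "expired_1902": _cert("old.example", "Corp CA", "Jan  1 00:00:00 1901 GMT",
                          "Jan  1 00:00:00 1902 GMT", ["old.example"]),
    "year_4752": _cert("forever.example", "forever.example",
                       "Oct  1 00:00:00 2017 GMT", "Jan  1 00:00:00 4752 GMT"),
    "cn_star": _cert("*", "Corp CA", "Jan  1 00:00:00 2017 GMT",
                     "Jan  1 00:00:00 2019 GMT"),
    "no_names": _cert(None, "Corp CA", "Jan  1 00:00:00 2017 GMT",
                      "Jan  1 00:00:00 2019 GMT",
                      subject=((("organizationName", "Example Corp"),),)),
    "many_sans": _cert("big.example", "Corp CA", "Jan  1 00:00:00 2017 GMT",
                       "Jan  1 00:00:00 2019 GMT",
                       ["host%d.example" % i for i in range(200)]),
}

if __name__ == "__main__":
    for label, findings in scan(SAMPLE_CERTS, NOW).items():
        print(label, "->", ", ".join(findings))
```

To run this against real endpoints, wrap a `ssl.create_default_context()` connection around each host, call `getpeercert()` on the socket, and feed the result to `cert_findings`; note that a default context will refuse to complete the handshake for expired or untrusted certificates, so an inventory scan needs `check_hostname = False` and `verify_mode = ssl.CERT_NONE`, in which case `getpeercert()` returns an empty dict and you must parse the DER from `getpeercert(binary_form=True)` with a real X.509 library instead.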

15.
Any sufﬁciently large infrastructure
is indistinguishable from the
internet.

49.
How to be boring:
Incremental changes.
Always move forward.
Lead by example, be transparent.
Encourage autonomy.
We can’t reach 100% security,
but we can always improve.